Configuring Local User Authentication via AAA

You would never let some stranger access your bank account so why would you ever let a stranger access your network devices? This lab talks discusses and demonstrates how to configure local user authentication using AAA list.

Core Knowledge

Lab Topology

Initial Configs

Lab Objectives

Lab Instruction

Core Knowledge and Real World Scenarios

Setting up user authentication on network devices to prevent unauthorized user access to the devices is a must. Just like you’d never setup your email account for everyone to access, you would never setup a network device to allow people to access because all your traffic traverses such devices.

One of the first steps in securing the control plane is controlling who can and cannot access the device’s operating system. This is done by creating a user database that contains credentials for those whom are authorized to access the device for administrative purposes. In most small businesses these credentials are stored on the local device themselves due to the cost and administrative overhead of deploying a Cisco ACS Server or RADIUS Server.

Local credentials are also used as a fail safe for enterprise companies that do have Cisco ACS Solutions just in case the authentication servers become unavailable to the authenticating device.

First to understand how to configure local user authentication using AAA, you must understand what AAA is.

AAA stands for Authentication, Authorization and Accounting. It is a mechanism build to authenticate, authorize and account for any action taken by a user on a given Cisco or non Cisco device.

The Authentication part controls exactly that, authenticating with username and passwords and even two factor authentication can be configured with Cisco ACS such as the addition of an RSA Token keyfob.

The Authorization portion controls what commands users whom have authenticated can execute. This is commonly used to allow level 1 support to read configuration and execute various show commands however when they attempt to execute commands above their pay grade pe se, they get the error “Command Authorization Failed”. Which basically means hey you cannot execute this command.

Finally we get to Accounting, this is a huge part of ensuring compliance with local, state and federal regulations such as HIPAA, SAS70, etc… As a business you must be able to account for any action taken on network devices such as who executed what command and when they did it and on what devices they did it on. This ensures that you have a full accountability log of every action taken on a device configured for accounting.

When it comes to Cisco devices, AAA is configured in a similar nature as to access-list. First you must enable AAA by using the aaa new-model command in global configuration.

After which you will then define your AAA list(s). This is done by defining what type of list you wish to make such as authentication, authorization or accounting. After you define what type of list you’re creating you then define what the list will be used for such as authentication for dot1x or authentication for login and so on.

So for example we’re going to define a login authentication list using AAA, now we need to either name the list or define the list as the default list which is basically a catch all. One the list is named you will then define how the list is executed. An example below is given of the AAA authentication list just described;

aaa authentication login CONSOLE_AUTHEN local

As you can see from the example given, the authentication list is defined as a login list and the name of the list is called “CONSOLE_AUTHEN” and it will authenticate to the local database.

The authentication methods can be local for the local datbaase, line for what is configured on the line such as line con0 and group which can be used to define a tacacs or radius server group.

For this lab we’re only going to be concentrating on the local database.

Keep in mind that if you enable aaa new-model on a Cisco device and do not define the authentication list(s), you can lock yourself out of the device once your current exec session times out.

Also be sure to define a username and password in the local user database by using the command username john privilege {1-15} secret password123

Without setting up authorization you will need to create an enable secret even if the user has level 15 privileges.

Now lets see all this mumbo jumbo in action shall we?

Familiarize yourself with the list of command(s) compiled below;

Command

Description

aaa new-model

This command when executed in global configuration mode will enable AAA.

aaa authentication login {list-name} {authentication methods}

This command when executed in glocal configuration defines the AAA Authentication list along with its authentication method parameters.

username {name} privilege {1-15} secret {secretpassword}

This command when executed in global configuration creates a user in the local user database which is used for local authentication by AAA if defined to use local authentication

To get started with this lab exercise please review the lab topology and prerequisites prior to loading initial configs and attempting the objective(s).

Lab Logical Topology

The following logical topology is used in all labs found through out Section 2 of the CCNA Security Workbook;

Lab Device Initial Configurations

Before you Start

This lab requires that you have access to a Cisco Router. You can complete this lab using a router in GNS3 or you can reserve free lab time on the Stub Lab to have access to a fully functional Cisco CCIE lab which has first generation Integrated Service Routers, 3560 Series Catalyst Switches, 5505 ASA Firewalls and 2650XM series backbone routers.

It is recommended that you load the initial configurations onto your device prior to attempting this lab.

Lab Objectives

In this lab you will complete the following objectives.

Configure a user on R1 with the username John with level 15 privileges with the password of Cisco.

Enable AAA on R1 and define a local authentication list named VTY_AUTHEN and authenticate this list to the local database.

Assign the newly created authentication list to the VTY Lines 0-4.

Verify your by telneting from SW1 to R1’s FastEthernet0/0 ip address.

One More Thing…

It is recommended that you attempt to complete these lab objectives the first time without looking at the Lab Instruction section.

If you are a student preparing for the Cisco CCNA Security Certification Exam than you are more likely to remember how to complete these objectives if you attempt to complete them the first time on your own with the use of the core knowledge section found in this lab. You should only resort to the Lab Instruction section to verify your work.

Lab Instruction

Objective 1. – Configure a user on R1 with the username John with level 15 privileges with the password of Cisco.

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#username john privilege 15 secret Cisco
R1(config)#

Objective 2. – Enable AAA on R1 and define a local authentication list named VTY_AUTHEN and authenticate this list to the local database.